I have a basic Cloud Run service with IAP in front of it so that IAP can authenticate users (for the moment, just me) prior to invoking the service. The service is configured to require authentication. I think the IAP is configured correctly, but when I navigate to the URL I get a 502 Bad Gateway error with “Empty Google Account OAuth client ID(s)/secret(s).” as the response. I have an OAuth Client configured for the service with the consent screen setup complete. The load balancer is receiving traffic from the internet but it can’t find the OAuth client.
Troubleshooting steps taken so far:
- Verifying OAuth Client ID type and redirect URIs.
- Ensuring the SSL certificate is active.
- Confirming DNS is correctly pointing to the Load Balancer (and Cloudflare proxy is off).
- Toggling IAP on the backend service.
- Disabling/re-enabling the IAP API at the project level.
- Deleting and recreating the entire Load Balancer from scratch.
- Granting the necessary roles/run.invoker to the compute-system service account for Cloud Run invocation.
I can’t think of anything else to check or try. The Gemini Cloud Assist bot has been super helpful, assuming its advice and directions have been correct, but everything so far has seemed logical, and there are no obvious errors in the Cloud Console, so I don’t know what’s gone wrong.
Any help would be greatly appreciated.